DARPA will use decoy documents to catch leaks

The U.S. Department of Defense plans to discourage would-be document leakers by planting false documents, but there is a twist.

These decoy documents, as they are described, sound sophisticated. Each file carries a security feature that embeds the equivalent of a homing device inside the document. When one of these files is opened, it automatically alerts a DARPA system administrator, enumerates details about the computer it was opened on and sends that information back. Reportedly, the details sent include the IP address, time, location and host name, though additional information may also be possible.

DARPA describes one goal of the program as "generating and distributing believable misinformation." As part of the project, these automatically generated decoy documents will be purposely conspicuous, increasing the likelihood that would-be document leakers will access them. The files are also intended to be believable, so as to appear authentic to those who would leak them.

The quote below is from the project's Department of Defense abstract:

The recent disclosure of sensitive and classified government documents through WikiLeaks demonstrates a new systemic threat, exfiltration and broad global broadcast of government confidential data and information. We propose to develop techniques and mechanisms for identifying likely malicious insiders within an organization by leveraging automatically generated misinformation and modern system and network monitoring technologies such as Data Leakage Prevention (DLP). The proposed scheme focuses on and exploits what malicious insiders seek (illicitly acquired information), as opposed to incidental signs of misbehavior, providing a robust alternative and a good complement to such mechanisms. We propose to develop a baseline system that will demonstrate the feasibility of identifying specific types of insiders by developing a prototype for automatically generating and distributing believable misinformation based on administrator-defined templates, and then tracking access and attempted misuse of it. The technology to be commercialized has been licensed and transferred from Columbia University. The proposed prototype will integrate the deception technology and host sensors with open source Data Leak Prevention technology to demonstrate the essential functions and core features of a product suitable for government customers to mitigate the insider threat and thwart the exfiltration of sensitive government information.

Our more tech-savvy readers may already see the glaring technical limitations of such decoy documents. A document can only phone home if the machine it is opened on can reach the network, so a potential leaker could block outgoing connections with host firewall software or simply disconnect from the Internet while viewing the documents. The beacon may also be detectable: because the document has to initiate an outbound connection, inspecting it for external references before it is ever opened is one way the false documents could be picked out.
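As an added example (not code from the DARPA program or from the Columbia generator it is based on), the following Python scans a Word document before it is opened and lists every URL it would contact, separating references that are fetched while the page is rendered (an externally linked picture, an INCLUDEPICTURE field) from hyperlinks that fire only when clicked. It assumes the homing device is embedded as an external reference in an Office Open XML (.docx) file, which is one common way to build such a beacon; the two sample documents and the collector host beacon.example.invalid are constructed for the demonstration.

```python
"""Find beacon-style external references in a .docx before opening it.

Added example. Assumes the beacon is an external reference inside an Office
Open XML package; the sample documents below are constructed test data.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")

# Relationship types and field codes that Word resolves while rendering, i.e.
# without any click. A hyperlink is reported too, but only fires when followed.
FETCH_ON_OPEN_RELS = {"image", "attachedTemplate", "oleObject", "frame", "subDocument"}
FETCH_ON_OPEN_FIELDS = {"INCLUDEPICTURE", "INCLUDETEXT", "LINK", "DDEAUTO", "DDE"}


def _w(tag):
    return f"{{{W_NS}}}{tag}"


def external_references(docx_bytes):
    """Return every external URL in the package and whether it fires on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".rels", ".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            if name.endswith(".rels"):
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append({"part": name, "via": "rel:" + kind,
                                     "target": rel.get("Target", ""),
                                     "on_open": kind in FETCH_ON_OPEN_RELS})
            else:
                # Field codes: w:fldSimple carries the code in w:instr; complex
                # fields spread it across w:instrText runs within one paragraph.
                for para in root.iter(_w("p")):
                    codes = [f.get(_w("instr"), "") for f in para.iter(_w("fldSimple"))]
                    codes.append("".join(t.text or "" for t in para.iter(_w("instrText"))))
                    for code in codes:
                        tokens = code.split()
                        for url in URL_RE.findall(code):
                            findings.append({"part": name, "via": "field:" + tokens[0],
                                             "target": url,
                                             "on_open": tokens[0].upper() in FETCH_ON_OPEN_FIELDS})
    return findings


def is_beaconed(docx_bytes):
    """True when the document contacts a remote host as soon as it is rendered."""
    return any(f["on_open"] for f in external_references(docx_bytes))


def build_docx(document_xml, document_rels):
    """Assemble a minimal .docx in memory (constructed sample, not a real leak)."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>")
    root_rels = (f'<Relationships xmlns="{REL_NS}">'
                 f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>'
                 "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


BEACON_URL = "http://beacon.example.invalid/track.png"  # assumed collector, not a real host

# Decoy: an INCLUDEPICTURE field (fetched on render) plus a clickable hyperlink.
DECOY_DOC = build_docx(
    f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
    "<w:p><w:r><w:t>Q3 Budget - CONFIDENTIAL</w:t></w:r></w:p>"
    f"<w:p><w:fldSimple w:instr=' INCLUDEPICTURE &quot;{BEACON_URL}&quot; \\d '>"
    "<w:r><w:t> </w:t></w:r></w:fldSimple></w:p>"
    '<w:p><w:hyperlink r:id="rId2"><w:r><w:t>details</w:t></w:r></w:hyperlink></w:p>'
    "</w:body></w:document>",
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="{BEACON_URL}" TargetMode="External"/>'
    "</Relationships>")

# Clean: same text, no external references at all.
CLEAN_DOC = build_docx(
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Q3 Budget</w:t></w:r></w:p></w:body></w:document>',
    f'<Relationships xmlns="{REL_NS}"/>')

if __name__ == "__main__":
    for label, doc in (("decoy", DECOY_DOC), ("clean", CLEAN_DOC)):
        print(f"{label}: beaconed={is_beaconed(doc)}")
        for f in external_references(doc):
            print(f"  {f['part']} {f['via']} -> {f['target']} (fires on open: {f['on_open']})")
```

The scan never renders the file, so it can be run on an offline machine against a whole batch of documents; anything flagged with "fires on open" is the kind of reference a beacon needs, while a bare hyperlink is only a weak indicator. The same idea extends to PDF (/URI, /Launch and remote /GoToR actions), which this example does not cover.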

Despite those obvious limitations, the project can still achieve much of its goal. Leakers may adopt countermeasures to avoid detection, but each countermeasure costs time and forces extra scrutiny of every document. DARPA is hoping that this extra effort makes large leaks of the WikiLeaks kind unmanageable for the organizations that publish them.

If these "misinformative" decoys cannot be easily distinguished from authentic documents, then the leaked information itself may lose public credibility. It also stands to reason that if the risk of getting caught is higher, more casual leakers will be discouraged from publishing confidential information.

If you would like to sample the technology, you can generate your own decoy documents here. Try it out and see what you think.